svn commit: r347933 - head/sys/security/mac_veriexec

Stephen J. Kiernan stevek at FreeBSD.org
Fri May 17 17:50:02 UTC 2019


Author: stevek
Date: Fri May 17 17:50:01 2019
New Revision: 347933
URL: https://svnweb.freebsd.org/changeset/base/347933

Log:
  Ensure we have obtained a lock on the process before calling
  mac_veriexec_get_executable_flags(). Only try locking/unlocking if the caller
  has not already acquired the process lock.
  
  Obtained from:	Juniper Networks, Inc.
  MFC after:	1 week

Modified:
  head/sys/security/mac_veriexec/mac_veriexec.c

Modified: head/sys/security/mac_veriexec/mac_veriexec.c
==============================================================================
--- head/sys/security/mac_veriexec/mac_veriexec.c	Fri May 17 17:21:32 2019	(r347932)
+++ head/sys/security/mac_veriexec/mac_veriexec.c	Fri May 17 17:50:01 2019	(r347933)
@@ -823,9 +823,18 @@ mac_veriexec_set_state(int state)
 int
 mac_veriexec_proc_is_trusted(struct ucred *cred, struct proc *p)
 {
-	int error, flags;
+	int already_locked, error, flags;
 
+	/* Make sure we lock the process if we do not already have the lock */
+	already_locked = PROC_LOCKED(p);
+	if (!already_locked)
+		PROC_LOCK(p);
+
 	error = mac_veriexec_metadata_get_executable_flags(cred, p, &flags, 0);
+
+	/* Unlock the process if we locked it previously */
+	if (!already_locked)
+		PROC_UNLOCK(p);
 
 	/* Any errors, deny access */
 	if (error != 0)
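
Review bot: The conditional locking keyed on already_locked = PROC_LOCKED(p) at the top of mac_veriexec_proc_is_trusted() leaves the function's locking contract implicit, so a reader of the call sites cannot tell whether the process lock is expected to be held on entry. Add a comment above the function stating that it may be called with or without the process lock held and that the lock state on return matches the state on entry. Alternatively, split it into a variant that asserts the lock is held and a thin wrapper that takes and drops it, which keeps the "locked by someone" and "locked by this caller" cases from being confused. The log message also names mac_veriexec_get_executable_flags(), while the call being guarded is mac_veriexec_metadata_get_executable_flags(); the two should agree so the change can be found by searching for the function name.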

